Wednesday, February 01, 2012
Monday, April 09, 2007
An inside look into building and releasing MS07-017
As part of that, we not only investigate the specific issue that was reported to us, but any surrounding issues. Customers have told us clearly that they want us to make the security update as comprehensive as possible, they don’t want to have to apply multiple updates to address issues in the same components. So our triaging stage focuses on finding as many related issues as possible... Every vulnerability reported to Microsoft is triaged personally by a member of my team (in this case it was Adrian Stone) and they work on those issues reported to us end-to-end until the point we are able to produce an update that helps protect customers. In many cases, there is a delicate balance we strive to strike between meeting customer needs, our ability to test an update for appropriate quality and protecting customers against possible attacks...
Read the post in MSRC blog.
Labels: MSRC
Friday, April 06, 2007
MOPB full review
...
--without-iconv
--disable-json
--disable-mbregex
--disable-pdo
--disable-posix
--disable-reflection
--disable-filter
--disable-session
--disable-spl
--without-sqlite
--disable-tokenizer
--disable-libxml, --disable-xml, --disable-dom, --disable-simplexml, --disable-xmlreader & --disable-xmlwriter
...
Read the full story.
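The configure switches above only help if the resulting binary really lacks those extensions, so a build should be checked afterwards. The following added example (not from the MOPB review or from PHP) parses the text that `php -m` prints and reports which of the listed extensions are still loaded; the module names are taken from how `php -m` spells them, and the sample output is constructed for the example.

```python
# Added example: verify a PHP build against the extension list from the MOPB review.
# Parses the output format of `php -m`; the sample output below is constructed.

# Module names as `php -m` prints them (lower-cased), mapped from the configure switches.
# --disable-mbregex only drops the regex part of mbstring, so it has no module of its own.
RISKY_MODULES = {
    "iconv", "json", "pdo", "posix", "reflection", "filter", "session", "spl",
    "sqlite", "tokenizer", "libxml", "xml", "dom", "simplexml", "xmlreader", "xmlwriter",
}


def parse_php_modules(php_m_output: str) -> set:
    """Return the lower-cased module names from `php -m` output, skipping the
    [PHP Modules] / [Zend Modules] section headers and blank lines."""
    modules = set()
    for line in php_m_output.splitlines():
        name = line.strip()
        if not name or name.startswith("["):
            continue
        modules.add(name.lower())
    return modules


def risky_modules_loaded(php_m_output: str) -> list:
    """Sorted list of the risky modules that are still compiled into this build."""
    return sorted(parse_php_modules(php_m_output) & RISKY_MODULES)


# Constructed sample: a build that dropped most extensions but kept session, SPL and tokenizer.
SAMPLE_PHP_M_OUTPUT = """[PHP Modules]
Core
date
pcre
session
SPL
standard
tokenizer

[Zend Modules]
"""

if __name__ == "__main__":
    # On a real host, feed the live output instead of the sample, e.g.:
    #   import subprocess
    #   output = subprocess.run(["php", "-m"], capture_output=True, text=True).stdout
    for name in risky_modules_loaded(SAMPLE_PHP_M_OUTPUT):
        print("still enabled:", name)
```

Run it against the real `php -m` output after the build; an empty result means every extension on the list was actually left out.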
Labels: php, secure installation
Thursday, April 05, 2007
Physical Security in Mission Critical Facilities
Technologies are in place, and getting less expensive, to implement broad range solutions based on the identification principles of What you have, What you know, and Who you are. By combining an assessment of risk tolerance with an analysis of access requirements and available technologies, an effective security system can be designed to provide a realistic balance of protection and cost.
Download the pdf file (25 pages) - through 'netsec.blogspot.com'.
Labels: physical security
Monday, February 12, 2007
Top Ten Threats for 2007
1. 100% growth in revenue for cyber crime
2. DDoS in support of phishing attacks
3. Successful DDoS attack against a financial services firm
4. Attacks against DNS are the threat of the year
5. No abatement in identity theft
6. More attacks against wireless networks
7. MySpace grows up and gets secure
8. YouTube abuse threatens site
9. Network infrastructure shows signs of overloading
10. Spread of Windows Vista will have zero impact on the overall threatscape
Read Richard Stiennon's predictions for 2007.
Labels: threat
Friday, February 02, 2007
Stack Overflow IRC Lecture
Title: Stack Overflow IRC Lecture
Author/Lecturer: Aelphaeis Mangarae
Website: http://blackhat-forums.com
IRC: IRC.BlueHell.Org #BHF
Topic: Win32 Stack Based Buffer Overflow Exploitation
You can find it here.
Labels: Buffer Overflow
Wednesday, January 31, 2007
Marcus J Ranum (MJR) and Bruce Schneier on Full Disclosure
Marcus J Ranum (MJR) says:
- “After 10 years of full disclosure, security has not gotten any better”.
Bruce says:
- “Bugs exist whether or not they are disclosed in a public forum. Vendors are more responsive when it could cause bad PR. Public disclosure forces vendors to more quickly fix flaws which makes systems more secure”.
Haha... See the full battle on securiteam blog.
Labels: full disclosure, security
Thursday, January 25, 2007
The best practices for network security in 2007
Here's my best practice list, in order of importance:
1. Roll out corporate security policies
2. Deliver corporate security awareness and training
3. Run frequent information security self-assessments
4. Perform regulatory compliance self-assessments
5. Deploy corporate-wide encryption
6. Value, protect, track and manage all corporate assets
7. Test business continuity and disaster recovery planning
Read the article (by Gary S. Miliefsky)
Wednesday, January 24, 2007
Sunday, January 21, 2007
Chinese Prof Cracks SHA-1 Data Encryption Scheme (OR) SHA-1 added to list of "accomplishments"
The reason for this change is that 41-year-old associate professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology has already cracked SHA-1... Professor Wang Xiaoyun, a graduate of Shandong University of Technology's mathematics department, and her research team obtained results by using ordinary personal computers... Wang's method of cracking the encryptions differs from all others. Although encryption analysis usually cannot be done without the use of computers, according to Wang, the computer only assisted in cracking the algorithm. Most of the time, she calculated manually, and manually designed the methods.
Read the article and Slashdot discussion.
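What "cracking SHA-1" refers to here is finding two different messages with the same hash (a collision) faster than the generic birthday bound, which for a 160-bit digest is about 2^80 hash evaluations. The following added example (not from the article or the Slashdot thread, and not Wang's method) shows what that generic bound means in practice by running a plain birthday search against SHA-1 truncated to a configurable number of bits; on a 32-bit truncation a collision appears after roughly 2^16 hashes, which is why the full 160-bit output, not a clever shortcut, is what keeps the generic attack out of reach. The message strings are constructed for the example.

```python
import hashlib

# Added example: generic birthday-paradox collision search on a truncated SHA-1.
# This is the baseline any cryptanalytic result (such as Wang's) is measured against;
# it is not Wang's differential technique. Messages below are constructed.


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def generic_collision_cost(bits: int) -> float:
    """Expected hash evaluations for a generic (birthday) collision on a bits-bit hash.
    For full SHA-1 (160 bits) this is 2^80; a cryptanalytic attack is one that beats it."""
    return 2.0 ** (bits / 2)


def find_truncated_collision(bits: int, max_tries: int = 1 << 22):
    """Birthday search: hash distinct constructed messages until two share the same
    truncated digest. Returns (msg_a, msg_b, tries) or None if max_tries is exhausted."""
    seen = {}
    for i in range(max_tries):
        msg = b"constructed-message-%d" % i
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def is_collision(msg_a: bytes, msg_b: bytes, bits: int) -> bool:
    """True when two distinct messages agree on the first `bits` bits of SHA-1."""
    return msg_a != msg_b and truncated_sha1(msg_a, bits) == truncated_sha1(msg_b, bits)


if __name__ == "__main__":
    bits = 32
    result = find_truncated_collision(bits)
    if result is None:
        print("no collision within the try budget")
    else:
        msg_a, msg_b, tries = result
        print("collision on %d-bit truncation after %d hashes (expected ~2^%d)"
              % (bits, tries, bits // 2))
        print("  %r\n  %r" % (msg_a, msg_b))
    print("generic cost for full SHA-1: 2^80 = %.3g" % generic_collision_cost(160))
```

Raising `bits` makes the search cost grow as 2^(bits/2), so the same loop that finishes in a moment at 32 bits is hopeless at 160; that gap is the margin a published sub-birthday attack eats into, and the reason to migrate signatures and certificates off SHA-1 once such results appear.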